HTML5 Security Risks

Using HTML5 for mobile apps can save costs and provide users with a common experience. But HTML5 comes with its own set of security issues.

Several key facets of the HTML5 platform can increase the surface area for security compromises, which may affect the enterprise through apps developed either in-house or by third parties.

Local storage: Before HTML5, cookies were the only way websites could store local data on the client side. But cookies are limited in multiple ways, whereas HTML5 local storage offers a more robust client-side storage solution, including a relational database with SQL access. With client-side storage, HTML5 apps can be both more sophisticated and faster than their web-based predecessors. Users can access key data offline, and apps can manipulate data without network bottlenecks.

But the data stored on the client side will also be more vulnerable to compromise. Hackers who slip through the “same origin rule” that protects access to local storage could extract sensitive data and leak it to malicious servers. In the mobile realm, physical loss or theft of smartphones and tablets could put sensitive data directly into hackers' hands.

This means that using HTML5 local storage to store sensitive data must go hand in hand with security awareness. This might include siloing the most sensitive data to session-only storage (which is destroyed with app exit), or employing the same robust encryption techniques that would be used to store sensitive data on servers.

Cross-Origin Resource Sharing (CORS): A complex subject whose intricacies threaten to trip up developers, CORS is the rules mechanism that defines which data apps can interact with. Before HTML5, this security policy was known as the Same Origin Policy, and it required that web apps interact with code and content delivered from a common parent server to limit the opportunity for hackers to inject malicious data. CORS expands the limitations of the SOP and provides a more sophisticated syntax by which developers can define which origins are allowed to interact with which app behaviors.

The security risk here is not CORS itself but the opportunity for developers to misuse it, writing rules that are either too broad or too vulnerable to exploitation, giving hackers an in-road to cross-site scripting (XSS) attacks and other forms of data hijacking.

WebSockets: HTML5 WebSockets feature an asynchronous, full-duplex network connection directly between web client and server, enabling “push” communications originating from the server. This technology significantly reduces bandwidth for what would be polling-intensive apps, promising payoff in both reduced data usage and app performance. But WebSockets are, at least currently, opaque to many network security tools, which may rely on packet inspection to qualify traffic. In short, use of WebSockets may dilute the effectiveness of present-day network security defenses like web application firewalls.

HTML5 is not inherently insecure, but enterprises that use it need to look at it like using a Swiss Army Knife -- the new features promise great utility, but also more ways to cut yourself.

HTML5 seems to be a large step in making the storage of temporary files much more efficient. Having a larger cache for applications for mobile devices has been a problem ever since they came on the market as upon exit, the data would get lost.

What I, however, do not understand is why a solution to the danger of hacking would be to delete the files upon exit of the application, would this not defy the purpose of the whole thing?

"HTML5 is not inherently insecure, but enterprises that use it need to look at it like using a Swiss Army Knife -- the new features promise great utility, but also more ways to cut yourself."

One of the best analogies I've heard to date regarding HTML5. I took a web developement class last two semesters ago and my professor commented with a similar sentiment on this subject. But like most new code/etc you find many people jumping on board with the features with little regard for security.

'Patching loopholes' are not getting the priorities as they should have gotten. These days, we are looking for more 'bells & whistles', and finally we find ourselves in awkward situation when these loopholes show up.

The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail: moderators@enterpriseefficiency.com

Dell's Efficiency Modeling ToolThe major problem facing the CIO is how to measure the effectiveness of the IT department. Learn how Dell’s Efficiency Modeling Tool gives the CIO two clear, powerful numbers: Efficiency Quotient and Impact Quotient. These numbers can be transforma¬tive not only to the department, but to the entire enterprise. Read the full report

Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.

The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.

Office and personal productivity tools come in a first-class and coach flavor set, but what makes the difference is primarily little things that most users won't encounter. What's the big issue in using something other than Office, and can you get around it?

We really don't want an "Internet of Everything" but even building an Internet of Everythinguseful means setting some ground rules to insure there's value in the process and that costs and risks are minimized.

Google's Chrome OS has a lot of potential value and a lot of recent press, but it still needs something to make it more than a thin client. It needs cloud integration, it needs extended APIs via web services, and it needs to suck it up and support a hard drive.

On a recent African trip I saw examples of the value of the cloud in developing nations, for educational and community development programs. We could build on this, but not only in developing economies, because these same programs are often under-supported even in first-world countries.

VMware's debate with Cisco on SDN might finally create a fusion between an SDN view that's all about software and another that's all about network equipment. That would be good for every enterprise considering the cloud and SDN.

Wearing a bulky, oversized watch is good training for the next phase in wristwatches: the Internet-enabled, connected watch. Why the smartphone-tethered connected watch makes sense, plus Ivan demos an entirely new concept for the "smart watch."

Cloud storage costs are determined primarily by the rate at which files are changed and the possibility of concurrent access/update. If you can structure your storage use to optimize these factors you can cut costs, perhaps to zero.

The Internet has evolved into a machine for drumming up a chorus of "Happy Birthday" messages, from family, friends, friends of friends who you added on Facebook, random people that you circled on G+, and increasingly, automated bots. Enough already.